HackRF One
The HackRF One is an open-source software-defined radio (SDR) peripheral developed by Great Scott Gadgets, functioning as a half-duplex transceiver capable of transmitting or receiving radio signals across a broad frequency range from 1 MHz to 6 GHz.[1] It operates at up to 20 million samples per second with 8-bit quadrature sampling (8-bit in-phase and 8-bit quadrature components), enabling software-configurable receiver and transmitter gain along with baseband filtering.[1] Powered via USB 2.0 and featuring an SMA female antenna connector, the device supports antenna port power output of 50 mA at 3.3 V, making it suitable for a variety of external antennas and expansions.[1]
Designed by Michael Ossmann, founder of Great Scott Gadgets, the HackRF One originated from an open-source hardware project aimed at democratizing access to advanced radio tools.[2] The initiative gained momentum through a successful Kickstarter campaign launched in July 2013, which funded the initial production run and emphasized its role as a low-cost platform for radio signal experimentation from 30 MHz to 6 GHz (later extended to 1 MHz in production models).[3] All hardware designs, firmware, and host software are released under open licenses, with resources hosted on GitHub, allowing community contributions and custom modifications.[4]
The HackRF One is compatible with major SDR software frameworks, including GNU Radio, SDR#, and sdrshell, facilitating its integration into diverse applications such as radio testing, protocol analysis, and signal processing.[1] It has become a staple in wireless security research for vulnerability assessment in IoT devices and audience response systems, as well as in educational and academic settings for tasks like spectrum monitoring, OFDM signal transmission, and GPS signal emulation.[5][6][7] In professional contexts, it supports real-time centralized spectrum monitoring architectures and machine learning-based classification of wireless signals, underscoring its versatility as a tool for advancing radio technologies.[8][9]
Introduction
Overview
The HackRF One is a half-duplex transceiver capable of transmitting and receiving radio signals from 1 MHz to 6 GHz.[1] Manufactured by Great Scott Gadgets, a company founded by Michael Ossmann, the device was initially launched through a successful Kickstarter campaign in 2013 to fund its production.[10][3]
As an open-source software-defined radio (SDR) peripheral, the HackRF One connects to a host computer via USB and processes radio signals digitally through user-controlled software, enabling flexible signal modulation, demodulation, and analysis without dedicated hardware for specific frequencies or protocols.[1][11] This open-source hardware and software approach, with designs freely available for modification and extension, plays a key role in democratizing radio technology by empowering researchers, hobbyists, and innovators to experiment with RF systems free from proprietary limitations.[4][10]
Development History
The HackRF One project originated in June 2012 when Michael Ossmann, a security researcher with expertise in wireless vulnerabilities, published a blog post outlining his vision for an affordable, open-source software-defined radio (SDR) capable of transmitting and receiving signals across a wide frequency range. This conception aimed to democratize access to SDR technology, previously limited by high costs and proprietary designs, by leveraging open hardware principles to enable experimentation in radio hacking and signal processing.[12]
To advance this initiative, Ossmann founded Great Scott Gadgets in 2012, a company dedicated to developing and producing open-source hardware tools for wireless security and innovation. Under this banner, the project progressed from prototype stages, including early beta versions like the HackRF Jawbreaker demonstrated at conferences, to a manufacturable design. The company's focus on transparency and community involvement laid the groundwork for collaborative development.[13]
A pivotal milestone came in late July 2013 with the launch of a Kickstarter crowdfunding campaign for the HackRF platform, which sought $80,000 but ultimately raised $602,960 from 1,991 backers, far exceeding expectations and unlocking stretch goals for expanded production. This funding enabled the first manufacturing run, transitioning the project from concept to tangible hardware. The campaign's success highlighted growing interest in accessible SDR tools among hobbyists, researchers, and security professionals.[3]
The initial commercial release of the HackRF One occurred in late 2014, with shipments to Kickstarter backers and initial customers beginning that year, marking the device's entry into widespread use. Development continued post-launch through open-source contributions on GitHub, where the community drove iterative improvements to firmware, host software like hackrf-tools, and minor hardware revisions for enhanced stability and performance. By 2016, the HackRF One had achieved mature product status, facilitating integrations such as the community-developed PortaPack add-on, which added a portable touchscreen interface and onboard processing capabilities without requiring a host computer.[14] Development has continued into the 2020s, including the announcement of the HackRF Pro in June 2025, featuring improvements such as a frequency range from 100 kHz to 6 GHz, USB-C connectivity, and a temperature-compensated crystal oscillator (TCXO), with initial shipments beginning in December 2025.[15]
Hardware Design
Key Components
The HackRF One has undergone several hardware revisions (r1 through r9) primarily to address component availability issues, with later versions substituting the MAX2837 transceiver with the equivalent MAX2839 while maintaining core performance and specifications.[14]
The HackRF One's core hardware revolves around a set of integrated chipsets that enable its software-defined radio capabilities. The wide tuning range from 1 MHz to 6 GHz is facilitated by a Si5351 programmable clock synthesizer, which generates local oscillator (LO) signals, and an RFFC5071 mixer, which converts the RF signal to an intermediate frequency (IF) in the 2.3 to 2.7 GHz range.[16] The MAX2837 serves as the primary RF transceiver, handling signal transmission and reception in the 2.3 to 2.7 GHz range while interfacing with broader frequency coverage through additional components.[16] A CoolRunner-II Complex Programmable Logic Device (CPLD) manages signal processing tasks, including sample rate conversion and interfacing between analog and digital domains to facilitate flexible waveform handling.[16] The LPC4320 ARM Cortex-M4 microcontroller oversees the USB interface, managing data transfer between the host computer and the radio frontend for real-time control and streaming.[17]
Connectivity on the HackRF One is designed for straightforward integration into RF setups. It features three SMA female connectors: one for the main antenna port, one for clock input to support external synchronization, and one for clock output or expansion purposes.[1] Additionally, a USB 2.0 Hi-Speed port provides the primary connection to a host device, enabling plug-and-play operation with compatible software.[1]
The device is powered exclusively via USB, drawing 5 V from the host connection to supply its internal circuitry. A dedicated 3.3 V rail is provided at the antenna port, capable of delivering up to 50 mA for powering active antennas or low-power accessories, with software control for enabling or disabling this feature to optimize efficiency.[1][18]
In terms of form factor, the HackRF One employs a compact printed circuit board (PCB) measuring approximately 120 mm by 75 mm, housed in an optional injection-molded plastic enclosure for protection during use.[19] The hardware design is fully open-source, with schematics, PCB layouts, and firmware available on GitHub under a Creative Commons Attribution-ShareAlike license, allowing users to modify, replicate, or extend the design.[4][17]
Expandability is supported through internal pin headers that expose interfaces for custom add-ons, enabling enhanced configurations beyond the base unit. For instance, the official Opera Cake board stacks onto these headers to provide multi-port antenna switching, allowing up to eight antenna connections for automated RF testing setups.[20] The design also accommodates third-party attachments like the PortaPack, which adds a touchscreen interface and battery for standalone portable operation without a host computer.[21]
Technical Specifications
The HackRF One is a half-duplex software-defined radio transceiver capable of operating across a continuous frequency range of 1 MHz to 6 GHz, enabling broad-spectrum signal reception and transmission without hardware limitations on modulation or demodulation.[1][11] This wide coverage supports applications from low-frequency HF bands to microwave frequencies, with performance varying by band due to the analog front-end design.
The device achieves an instantaneous bandwidth of up to 20 MHz, corresponding to a maximum quadrature sample rate of 20 million samples per second (MS/s), allowing real-time processing of wideband signals.[1][11] Digital resolution is provided by 8-bit in-phase (I) and quadrature (Q) sampling, resulting in 8-bit quadrature samples that balance data throughput with USB constraints while supporting sufficient dynamic range for many software-defined tasks.[1][11]
Transmit power is software-configurable and frequency-dependent, reaching a maximum of 15 dBm in lower bands (e.g., 1–10 MHz and 2170–2740 MHz), but decreasing to as low as -10 dBm above 4 GHz; this is achieved through adjustable gain stages including RF amplification (0 or ~11 dB) and IF amplification (0–47 dB in 1 dB steps).[11] Receive sensitivity is approximately -100 dBm or better in optimal configurations, with measured noise floors around -90 dBm and minimum detectable signals near -86 dBm for SNR ≥ 5 dB at mid-VHF frequencies (e.g., 393 MHz), influenced by gain settings such as RF (0 or ~11 dB), low-noise amplifier (LNA, 0–40 dB in 8 dB steps), and baseband VGA (0–62 dB in 2 dB steps).[22][11]
The half-duplex architecture prevents simultaneous transmission and reception, requiring software to switch modes, which introduces minor latency but simplifies hardware design.[1][11] Data transfer occurs via a High Speed USB 2.0 interface (Micro-B connector), providing up to 480 Mbps throughput while drawing power from the host (typically 300–500 mA), with no onboard battery or external power option.[1][11] All signal processing, including modulation, encryption, and filtering, is performed in software, as the hardware lacks dedicated digital signal processing (DSP) cores or built-in cryptographic modules.[1][11]
| Parameter | Specification |
|---|---|
| Frequency Range | 1 MHz to 6 GHz (continuous) |
| Instantaneous Bandwidth | Up to 20 MHz (2–20 MS/s quadrature sample rate) |
| Sample Resolution | 8-bit I/Q (quadrature) |
| Transmit Power (max) | 15 dBm (varies by frequency: 5–15 dBm low bands, down to -10 dBm at 6 GHz) |
| Receive Sensitivity | ~ -100 dBm or better (noise floor ~ -90 dBm, min detectable ~ -86 dBm at VHF) |
| Operation Mode | Half-duplex (TX or RX, not simultaneous) |
| Interface | USB 2.0 High Speed (Micro-B); software-defined processing only |
Software Ecosystem
Supported Platforms
The HackRF One is compatible with GNU Radio, an open-source toolkit for signal processing that enables users to create flow graphs for tasks such as modulation and demodulation of radio signals.[23][1] This integration allows for flexible, graphical development of software-defined radio (SDR) applications, leveraging HackRF One's capabilities in both reception and transmission.[24] Other software with direct support includes GQRX for cross-platform spectrum visualization and reception, SDR Console for advanced receiver features, and QSpectrumAnalyzer for fast spectrum analysis.[23]
On Windows, the device supports SDR# (also known as SDR Sharp), a popular tool for spectrum visualization, signal decoding, and basic receive/transmit operations.[23][25] SDR# provides an intuitive interface for real-time spectrum analysis and is particularly accessible for users on this platform, often paired with the Zadig driver for USB connectivity.[26]
Cross-platform support is facilitated by the libhackrf library, which offers low-level control over the device's operations and is compatible with Linux, macOS, and Windows.[27][4] Installation via package managers, such as apt on Ubuntu/Debian, Homebrew on macOS, or radioconda on Windows, ensures broad accessibility across these operating systems.[27] This library underpins many higher-level tools and enables direct interaction with the hardware for custom applications.
Firmware options include the official HackRF firmware, available through Great Scott Gadgets' releases, which provides core functionality for USB-based operations.[28] Community-developed variants, such as the Mayhem firmware, enhance compatibility with add-ons like the PortaPack, adding built-in applications for standalone signal analysis without a host computer.[29]
Comprehensive documentation, including setup guides for major operating system distributions like Ubuntu, macOS, Windows, and FreeBSD, is hosted at hackrf.readthedocs.io.[27] These resources cover installation of libhackrf and related tools, troubleshooting, and firmware updates to ensure seamless integration.
Programming Interfaces
The primary programming interface for the HackRF One is libhackrf, a low-level C library developed by Great Scott Gadgets that enables host software to initialize, configure, and control the device over USB.[27] This library provides essential functions such as hackrf_init() for global library initialization, hackrf_open() to establish a connection to a specific device, hackrf_start_rx() and hackrf_start_tx() to begin sample streaming for reception or transmission, hackrf_set_freq() for tuning the operating frequency, and hackrf_set_lna_gain() along with similar functions for adjusting receive and transmit gains.[4] These APIs facilitate direct interaction with the hardware, supporting sample rates up to 20 MS/s and bandwidths suitable for software-defined radio applications.[4]
Communication between the host and HackRF One occurs via a custom USB 2.0 protocol utilizing bulk transfers for I/Q sample data on a dedicated endpoint, achieving throughputs up to approximately 40 MB/s under optimal conditions.[4] The protocol leverages scatter-gather DMA to handle high-bandwidth operations efficiently, minimizing CPU overhead during continuous streaming.[30]
For higher-level development, Python bindings are available through the pyhackrf package, which wraps libhackrf functions to enable scripting and rapid prototyping without direct C programming.[31] Additionally, the SoapyHackRF module integrates HackRF One with the SoapySDR framework, providing a vendor-neutral API for abstracting device-specific details across multiple SDR hardware platforms.[32]
Firmware updates and CPLD configuration are managed using tools from the hackrf-tools suite, including hackrf_spiflash for writing firmware binaries (e.g., hackrf_one_usb.bin) to the device's SPI flash memory via USB.[33] Open-source Verilog bitstreams for the Lattice CPLD are included in the HackRF repository, allowing customization through tools like hackrf_cpldjtag to load SVF files for reprogramming the programmable logic.
libhackrf incorporates error handling via the hackrf_error enumeration, which returns specific codes for issues such as HACKRF_ERROR_NOT_FOUND (device not detected), HACKRF_ERROR_LIBUSB (USB communication failures like detachment), and others related to invalid parameters or hardware faults.[4] Diagnostic utilities like hackrf_info provide status checks for firmware version, serial number, and USB connectivity, aiding in troubleshooting common problems including clock source stability when external references are used.[34]
Applications and Uses
Research and Security
The HackRF One has been instrumental in security research demonstrations at major conferences, enabling the capture and replay of wireless signals to expose vulnerabilities in consumer devices. At DEF CON 23 in 2015, researchers demonstrated replay attacks on remote key fobs for garage doors and vehicles operating at frequencies like 390 MHz, using the HackRF One to record raw I/Q samples with the command hackrf_transfer -r 390_data.raw -f 390000000 and subsequently replay them via hackrf_transfer -t 390_data.raw -f 390000000, bypassing basic rolling code protections without needing modulation analysis. Similar techniques were extended in demonstrations, such as jamming the original signal while capturing multiple codes for later selective replay, highlighting the device's utility in illustrating roll-jam attacks on automotive systems. At Black Hat Asia 2016, Michael Ossmann presented on rapid radio reversing using the HackRF One, showcasing its role in dissecting proprietary wireless protocols for vulnerability assessment in embedded systems.
In academic studies, the HackRF One has facilitated targeted investigations into critical infrastructure vulnerabilities. A 2015 study on cyber attacks against tactical radio networks employed the HackRF One alongside USRP SDRs to simulate jamming, eavesdropping, and replay attacks on military communication systems, identifying weaknesses in frequency-hopping spread spectrum protocols and recommending defensive hardening measures. Researchers have used the HackRF One for GPS spoofing experiments, demonstrating how low-cost SDRs could manipulate location data in Android devices by overpowering authentic satellite signals. These experiments underscored the HackRF One's half-duplex transmission capabilities, limited to 15 dBm output, as sufficient for close-range signal injection in controlled settings.
The device has also supported protocol analysis in reverse-engineering efforts for low-power wireless standards. For Zigbee, academic work has utilized the HackRF One to capture and decode IEEE 802.15.4 frames in IoT networks, revealing encryption flaws in commercial smart home devices by replaying intercepted packets to control endpoints like lights and sensors without authorization. In Bluetooth Low Energy (BLE) analysis, the HackRF One has enabled man-in-the-middle simulations by sniffing encrypted connections and injecting crafted advertisements, exposing pairing vulnerabilities in medical wearables and allowing unauthorized data exfiltration through protocol dissection at 2.4 GHz.
Ethical considerations in HackRF One usage emphasize its application for defensive security research, with strict adherence to legal frameworks such as FCC regulations in the United States, which prohibit unlicensed transmissions that could interfere with licensed services. Researchers stress conducting experiments in isolated environments, such as Faraday cages, to avoid spectrum pollution, and warn that exceeding the device's 10-15 dBm transmit power risks violating interference limits under 47 CFR Part 15, potentially leading to fines; all demonstrations must prioritize vulnerability disclosure to manufacturers rather than exploitation. The open-source nature of the HackRF One promotes responsible use in authorized penetration testing, but users are cautioned against deploying it in public spaces without permits to prevent unintended disruptions to emergency communications.
Notable projects include its integration in DARPA-funded radio research for spectrum monitoring, where the HackRF One's wideband reception from 1 MHz to 6 GHz has been leveraged in low-cost prototypes for real-time RF environmental awareness, as seen in studies on electromagnetic sensing that employ it to scan and classify signals in tactical scenarios. Initially developed with DARPA support to democratize SDR access, the device has evolved into a tool for advanced spectrum analysis in military applications, enabling passive detection of unauthorized emitters without high-end equipment.
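The following Python example is added here and is not code from the HackRF project. It parses the interleaved signed 8-bit I/Q byte format that hackrf_transfer -r writes and reports the time spans in which power rises above the noise floor, the energy-detection step that underlies passive emitter detection in a monitoring setup. The 2 MS/s capture rate, 256-sample block size, 10 dB margin and the synthetic capture are assumptions constructed for the example.

```python
import math
import random
from array import array

SAMPLE_RATE = 2_000_000  # assumed capture rate in samples/s (device range is 2-20 MS/s)

def parse_iq(raw: bytes):
    """Split interleaved signed 8-bit I,Q bytes into a list of (i, q) pairs."""
    if len(raw) % 2:
        raw = raw[:-1]           # drop the half-sample left by a truncated capture
    vals = array("b", raw)       # 'b' = signed 8-bit, matching the on-disk format
    return list(zip(vals[0::2], vals[1::2]))

def block_power_db(samples, block=256):
    """Mean power of each block in dB relative to full scale (127^2 + 127^2)."""
    full_scale = 2 * 127.0 ** 2
    out = []
    for start in range(0, len(samples) - block + 1, block):
        p = sum(i * i + q * q for i, q in samples[start:start + block]) / block
        out.append(10 * math.log10(max(p, 1e-9) / full_scale))
    return out

def find_bursts(power_db, margin_db=10.0, block=256, rate=SAMPLE_RATE):
    """Return (start_s, end_s) spans where power exceeds median floor + margin.

    The median is only a valid noise-floor estimate while emitters are active
    for less than half of the capture.
    """
    threshold = sorted(power_db)[len(power_db) // 2] + margin_db
    bursts, start = [], None
    for n, p in enumerate(power_db + [float("-inf")]):  # sentinel closes a trailing burst
        if p > threshold and start is None:
            start = n
        elif p <= threshold and start is not None:
            bursts.append((start * block / rate, n * block / rate))
            start = None
    return bursts

def synth_capture(seed=1):
    """Constructed sample input: 40 blocks of weak noise with one tone burst."""
    rng = random.Random(seed)
    raw = bytearray()
    for n in range(256 * 40):
        i, q = rng.randint(-2, 2), rng.randint(-2, 2)
        if 256 * 10 <= n < 256 * 14:      # burst occupies blocks 10..13
            i += round(80 * math.cos(0.3 * n))
            q += round(80 * math.sin(0.3 * n))
        raw += array("b", [i, q]).tobytes()
    return bytes(raw)

if __name__ == "__main__":
    power = block_power_db(parse_iq(synth_capture()))
    for start_s, end_s in find_bursts(power):
        print(f"burst from {start_s * 1e3:.3f} ms to {end_s * 1e3:.3f} ms")
```

At the maximum 20 MS/s rate each second of capture is 40 MB on disk, so a real recording would be read and processed in chunks rather than loaded whole.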